Merge pull request #357 from gkurz/merge-to-main-for-1.5

Merge to main for 1.5

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.4.0
+VERSION ?= 1.5.0
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

OWNERS

@@ -5,10 +5,12 @@ reviewers:
   - gkurz
   - cpmeadors
   - littlejawa
+  - snir911
 approvers:	
   - jensfr	
   - pmores
   - bpradipt
   - gkurz
   - cpmeadors
   - littlejawa
+  - snir911

api/v1/kataconfig_types.go

@@ -48,23 +48,15 @@ type KataConfigSpec struct {
 
 // KataConfigStatus defines the observed state of KataConfig
 type KataConfigStatus struct {
-	// RuntimeClass is the name of the runtime class used in CRIO configuration
-	RuntimeClass string `json:"runtimeClass"`
-
-	// TotalNodesCounts is the total number of worker nodes targeted by this CR
-	TotalNodesCount int `json:"totalNodesCount"`
-
-	// InstallationStatus reflects the status of the ongoing kata installation
+	// RuntimeClass is the names of the RuntimeClasses created by this controller
 	// +optional
-	InstallationStatus KataInstallationStatus `json:"installationStatus,omitempty"`
+	RuntimeClass []string `json:"runtimeClass"`
 
-	// UnInstallationStatus reflects the status of the ongoing kata uninstallation
 	// +optional
-	UnInstallationStatus KataUnInstallationStatus `json:"unInstallationStatus,omitempty"`
+	KataNodes KataNodesStatus `json:"kataNodes,omitempty"`
 
-	// Upgradestatus reflects the status of the ongoing kata upgrade
 	// +optional
-	Upgradestatus KataUpgradeStatus `json:"upgradeStatus,omitempty"`
+	Conditions []KataConfigCondition `json:"conditions,omitempty"`
 
 	// Used internally to persist state between reconciliations
 	// +optional
@@ -79,9 +71,9 @@ type KataConfigStatus struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=kataconfigs,scope=Cluster
-// +kubebuilder:printcolumn:name="InProgress",type=string,JSONPath=".status.installationStatus.IsInProgress",description="Status of Kata runtime installation"
-// +kubebuilder:printcolumn:name="Completed",type=integer,JSONPath=".status.installationStatus.completed.completedNodesCount",description="Number of nodes with Kata runtime installed"
-// +kubebuilder:printcolumn:name="Total",type=integer,JSONPath=".status.totalNodesCount",description="Total number of nodes"
+// +kubebuilder:printcolumn:name="InProgress",type=string,JSONPath=".status.conditions[?(@.type=='InProgress')].status",description="Status of Kata runtime installation"
+// +kubebuilder:printcolumn:name="Completed",type=integer,JSONPath=".status.kataNodes.readyNodeCount",description="Number of nodes with Kata runtime installed"
+// +kubebuilder:printcolumn:name="Total",type=integer,JSONPath=".status.kataNodes.nodeCount",description="Total number of nodes"
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=".metadata.creationTimestamp",description="Age of the KataConfig Custom Resource"
 type KataConfig struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -106,87 +98,46 @@ func init() {
 	SchemeBuilder.Register(&KataConfig{}, &KataConfigList{})
 }
 
-// KataInstallationStatus reflects the status of the ongoing kata installation
-type KataInstallationStatus struct {
-	// InProgress reflects the status of nodes that are in the process of kata installation
-	InProgress KataInstallationInProgressStatus `json:"inprogress,omitempty"`
-
-	// IsInProgress reflects the current state of installing or not installing
-	IsInProgress corev1.ConditionStatus `json:"IsInProgress,omit"`
-
-	// Completed reflects the status of nodes that have completed kata installation
-	Completed KataConfigCompletedStatus `json:"completed,omitempty"`
-
-	// Failed reflects the status of nodes that have failed kata installation
-	Failed KataFailedNodeStatus `json:"failed,omitempty"`
-}
-
-// KataInstallationInProgressStatus reflects the status of nodes that are in the process of kata installation
-type KataInstallationInProgressStatus struct {
-	// InProgressNodesCount reflects the number of nodes that are in the process of kata installation
-	InProgressNodesCount int `json:"inProgressNodesCount,omitempty"`
-	// IsInProgress reflects if installation is still in progress
-	IsInProgress bool `json:"isInProgress,omitempty"`
+type KataNodesStatus struct {
+	// Number of cluster nodes that have kata installed on them including
+	// those queued for installation and currently installing, though
+	// excluding nodes that have a kata installation but are queued for
+	// uninstallation or currently uninstalling.
 	// +optional
-	BinariesInstalledNodesList []string `json:"binariesInstallNodesList,omitempty"`
-}
-
-// KataConfigCompletedStatus reflects the status of nodes that have completed kata operation
-type KataConfigCompletedStatus struct {
-	// CompletedNodesCount reflects the number of nodes that have completed kata operation
-	CompletedNodesCount int `json:"completedNodesCount,omitempty"`
+	NodeCount int `json:"nodeCount"`
 
-	// CompletedNodesList reflects the list of nodes that have completed kata operation
+	// Number of cluster nodes that have kata installed on them and are
+	// currently ready to run kata workloads.
 	// +optional
-	CompletedNodesList []string `json:"completedNodesList,omitempty"`
-}
+	ReadyNodeCount int `json:"readyNodeCount"`
 
-// KataFailedNodeStatus reflects the status of nodes that have failed kata operation
-type KataFailedNodeStatus struct {
-	// FailedNodesCount reflects the number of nodes that have failed kata operation
-	FailedNodesCount int    `json:"failedNodesCount,omitempty"`
-	FailedReason     string `json:"failedNodesReason,omitempty"`
-
-	// FailedNodesList reflects the list of nodes that have failed kata operation
 	// +optional
-	FailedNodesList []FailedNodeStatus `json:"failedNodesList,omitempty"`
-}
-
-// KataUnInstallationStatus reflects the status of the ongoing kata uninstallation
-type KataUnInstallationStatus struct {
-	// InProgress reflects the status of nodes that are in the process of kata uninstallation
-	InProgress KataUnInstallationInProgressStatus `json:"inProgress,omitempty"`
-
-	// Completed reflects the status of nodes that have completed kata uninstallation
-	Completed KataConfigCompletedStatus `json:"completed,omitempty"`
-
-	// Failed reflects the status of nodes that have failed kata uninstallation
-	Failed KataFailedNodeStatus `json:"failed,omitempty"`
-
-	// Stores an error message if any.  Note that this is currently meant for a single
-	// failure source when kata uninstallation is blocked by existing kata-based pods, so
-	// handling of this field in the controller code is correspondingly simple.  A review
-	// might be necessary if this field were ever to store messages coming from another
-	// source.
-	ErrorMessage string `json:"errorMessage,omitempty"`
-}
+	Installed []string `json:"installed,omitempty"`
+	// +optional
+	Installing []string `json:"installing,omitempty"`
+	// +optional
+	WaitingToInstall []string `json:"waitingToInstall,omitempty"`
+	// +optional
+	FailedToInstall []string `json:"failedToInstall,omitempty"`
 
-// KataUnInstallationInProgressStatus reflects the status of nodes that are in the process of kata installation
-type KataUnInstallationInProgressStatus struct {
-	InProgressNodesCount int                    `json:"inProgressNodesCount,omitempty"`
-	IsInProgress         corev1.ConditionStatus `json:"status"`
 	// +optional
-	BinariesUnInstalledNodesList []string `json:"binariesUninstallNodesList,omitempty"`
+	Uninstalling []string `json:"uninstalling,omitempty"`
+	// +optional
+	WaitingToUninstall []string `json:"waitingToUninstall,omitempty"`
+	// +optional
+	FailedToUninstall []string `json:"failedToUninstall,omitempty"`
 }
 
-// KataUpgradeStatus reflects the status of the ongoing kata upgrade
-type KataUpgradeStatus struct {
-}
+type KataConfigConditionType string
+
+const (
+	KataConfigInProgress KataConfigConditionType = "InProgress"
+)
 
-// FailedNodeStatus holds the name and the error message of the failed node
-type FailedNodeStatus struct {
-	// Name of the failed node
-	Name string `json:"name"`
-	// Error message of the failed node reported by the installation daemon
-	Error string `json:"error"`
+type KataConfigCondition struct {
+	Type               KataConfigConditionType `json:"type"`
+	Status             corev1.ConditionStatus  `json:"status"`
+	LastTransitionTime metav1.Time             `json:"lastTransitionTime"`
+	Reason             string                  `json:"reason"`
+	Message            string                  `json:"message"`
 }

config/manager/kustomization.yaml

@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator
-  newTag: 1.3.1
+  newTag: 1.5.0

config/manager/manager.yaml

@@ -81,7 +81,7 @@ spec:
         - name: SANDBOXED_CONTAINERS_EXTENSION
           value: kata-containers
         - name: RELATED_IMAGE_CAA
-          value: quay.io/confidential-containers/cloud-api-adaptor
+          value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:latest
         - name: RELATED_IMAGE_PEERPODS_WEBHOOK
           value: "quay.io/confidential-containers/peer-pods-webhook:latest" 
         imagePullPolicy: Always

config/manifests/bases/sandboxed-containers-operator.clusterserviceversion.yaml

@@ -13,7 +13,7 @@ metadata:
         }
       ]
     capabilities: Seamless Upgrades
-    olm.skipRange: '>=1.1.0 <1.4.0'
+    olm.skipRange: '>=1.1.0 <1.5.0'
     operatorframework.io/suggested-namespace: openshift-sandboxed-containers-operator
     operators.openshift.io/infrastructure-features: '["disconnected", "fips"]'
     operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift
@@ -25,7 +25,7 @@ metadata:
   labels:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/os.linux: supported
-  name: sandboxed-containers-operator.v1.4.0
+  name: sandboxed-containers-operator.v1.5.0
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
@@ -365,7 +365,7 @@ spec:
   maturity: beta
   provider:
     name: Red Hat
-  version: 1.4.0
+  version: 1.5.0
   webhookdefinitions:
   - admissionReviewVersions:
     - v1

config/peerpods/kata-remote.conf → config/peerpods/local/configuration-remote.toml

@@ -13,7 +13,8 @@
 
 [hypervisor.remote]
 remote_hypervisor_socket = "/run/peerpod/hypervisor.sock"
-remote_hypervisor_timeout = 600
+remote_hypervisor_timeout = 900
+disable_guest_selinux = true
 
 
 # Enable confidential guest support.
@@ -32,7 +33,7 @@ remote_hypervisor_timeout = 600
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
-enable_annotations = []
+enable_annotations = ["default_vcpus", "default_memory", "machine_type"]
 
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
@@ -536,6 +537,7 @@ disable_new_netns = true
 # The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
 sandbox_cgroup_only=false
+static_sandbox_resource_mgmt = true
 
 # If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
 # This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.